BCSC 2021 Roundtable: Data protection and privacy-related implications of a migration to the cloud
16 November 2021 – Cyber Security Coalition
David Dab, National Technology Officer Microsoft Belux
Laurent Bounameau, DPO & Cyber Security Advisor (CISO) Federal Police Belgium
Magali Feys, IP, IT & Data Protection Lawyer AContrario.Law
Bojan Spasic, Cyber Security Technology Partner Manager SWIFT
Moderator: Bruno Wattenbergh, Chairman of the EY Belgium Innovation Board and Professor of Strategy & Entrepreneurship at Solvay Business School
So, your company has decided to make ICT life easier by migrating to the cloud. Easy as pie, just ring a reputable cloud provider? Unfortunately, there may be some data protection and privacy hurdles to jump, as we learned at the 2021 Belgian Cyber Security Convention (BCSC).
Yes, modern cloud environments are in most cases the safest and/or most secure place, thanks to automation, a focus on operational security and more. But… rulings such as Schrems II threw a wrench into the practice of international data transfers, because of the location and ownership of cloud infrastructure centres. Plenty of norms and standards ensure the physical reliability of cloud environments and more, but privacy-wise the (legal) debate is still going on. More specifically, users should consider cloud ‘safety’ or ‘security’ from the point of view of ‘what are my risks?’ or ‘what is the right set-up in my case?’ That fits within the inherent ‘risk-based’ nature of the European privacy law, the GDPR.
Does the GDPR kill off innovation as e.g. provided by cloud environments? Not quite. GDPR demands data-protection in solutions and environments ‘by design’ and ‘by default’, and to be careful when handling personal data. Provided all necessary security elements are implemented, cloud environments can provide a faster way to ISO 27001 security compliance than going for this certification on premise (e.g., by more easily keeping up with changes in systems, perimeter etc.). In short, the GDPR is a non-technical answer to a technology problem, and it’s now up to technology to continue innovating.
Much privacy-enhancing technology is already in place, such as encryption of data in transit and at rest. New developments target trust and confidentiality during processing by computing on encrypted data (homomorphic encryption), which prevents leaks from memory. This kind of computing may ultimately be preferable to pseudonymization, a technique the GDPR allows but on which this roundtable held conflicting views. Other possibilities include processing without exchanging data, differential privacy (i.e. publicly sharing information about a dataset by describing the patterns of groups while withholding information about individuals) and synthetic data generation (i.e. creating a subset of anonymized data). More attention should also be paid to the exact nature of the data an application requires (e.g. an application counting people in the streets for crowd control does not need actual images of the people, only their contours).
New threats will require yet other innovations, such as defences against attacks on machine learning (e.g. poisoning the data set used to train the application) and against attacks using AI (e.g. de-anonymization).
Actually, even privacy-enhancing technology may affect the privacy rights of a data subject. For instance, once somebody’s data has been anonymized and included in a data set, it becomes impossible to enforce that person’s right that their data not be used in machine learning, because the data can no longer be linked back to them.
Clearly, this roundtable presented an interesting and heady mix of technological and privacy concerns, going well beyond the specific subject of migration to the cloud. Well worth viewing again!
You can (re)watch the roundtable by clicking on this link. The recording can be found in section 7 – Belgian Cyber Security Convention.